Slashdot Mirror

← Back to Stories (view on slashdot.org)

XSS Can Take Down Your IoT Wind Turbine (softpedia.com)

Posted by Soulskill on from the winds-of-unchange dept.

An anonymous reader writes: ISC-CERT is warning of a critical vulnerability (score 9.8 out of 10) in Internet-enabled XZERES 442SR wind turbines. According to CERT, the Web administration portal of these portals is subject to the simplest XSS attacks (modifying IDs for admin access), which even the most basic n00b-level hackers can perform. This is yet another security bug in critical IoT equipment, like the Midas gas detector.

68 comments

  1. Why IoT ? by Anonymous Coward · · Score: 1

    Now solar arrays require Internet connectivity. What happens when that company flames out, and your 25K USD investment sits there with a 00:00 blinking on its clock?

    None of this needs connectivity. Too many Millenials.

    1. Re:Why IoT ? by Mr+D+from+63 · · Score: 3, Funny

      Most solar panels, even those not connected, have a security flaw. Its called the 'tossed brick' vulnerability. Its hard to believe they have ignored this threat for so long.

    2. Re:Why IoT ? by MasseKid · · Score: 1

      These items don't need WAN access, they really just need LAN access, though to most people that's the same thing. It's a lot easier if I can remotely check the status and health of the turbine from the ground rather than having to climb a tower and plug in a USB cable.

    3. Re:Why IoT ? by ThosLives · · Score: 1

      That probably won't bring down the entire array though; just reduce its output slightly. Plus, "tossing bricks" requires a physical presence (I don't think any commercially available drones can carry bricks yet, although if people start stealing Amazon drones, I guess they will...) so has much higher risk.

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraprhase)
    4. Re:Why IoT ? by KGIII · · Score: 2

      My solar and wind both have a box that display output, current storage, what's going out over the mains, etc. It has a history and all that. I can connect to it via a browser but I can't do it from outside of my LAN. If the source traffic isn't from within the local network, it's not getting there. Yes, there is a firewall and a NAT router between them and the 'net. Hell, I'm pretty sure one of the settings will let me configure it so that I can only connect to it with a specific IP address and then I still need user/password to view it. I'd also add, I can't actually *do* anything to it from the information panel. That requires that I go down and use physically use the controller in the basement.

      So, no... I don't think XSS can take down my wind turbine. It just doesn't seem likely. It might take down somebody else's but the odds of it taking down mine are pretty damned slim. I might not be the most intelligent person on the planet and that's my saving grace. See, I know that I'm not intelligent enough to put it on the internet safely.

      --
      "So long and thanks for all the fish."
    5. Re:Why IoT ? by Anonymous Coward · · Score: 0

      Yes but a "Distributed Tossing Brick" attack, aka DTB, most certainly will.

    6. Re:Why IoT ? by aicrules · · Score: 1

      even though this whole branch of the replies is in jest, there are many drones available that can carry a brick. Specifically getting one designed to carry and drop something may reduce the field of available options, but still there and commercially available. Still...requires relatively (compared to internet) close physical presence.

    7. Re: Why IoT ? by Anonymous Coward · · Score: 0

      Never heard of Lexan? Actually I'm sure quite a few sysadmins haven't. Gonna take a hell of a lot more than a brick.

    8. Re:Why IoT ? by Anonymous Coward · · Score: 0

      At a guess: it could give you some nice functionality like logging generation data or some sort of "smart grid" functionality (turn off now - we have an oversupply, that kind of thing).

      That said, this seems like a very marginal gain for the potential problems (like most IoT stuff really), and frankly the functionality I've guessed at would be better located in your inverter of smart meter.

      Actually one useful feature for larger turbines would be to angle to blades to catch less wind if there is a gale predicted, like happens in the commercial size turbines. Not sure if consumer sized turbines offer that feature though...

    9. Re:Why IoT ? by Anonymous Coward · · Score: 0

      Actually for a small home array it would, unfortunately, as they are often connected in series.

  2. Midas gas detector? by Anonymous Coward · · Score: 0

    You mean it can find gold? I'll take one! :)

  3. Ingenuity over Security == usually wins by adosch · · Score: 3, Funny

    The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and sense of coolness to your technical engineering feat, but having new ideas, making cool devices you can interact with over a network/lan/internet unfortunately will always be the lower hanging fruit to becoming even an amateur fly-by-night web/os/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.

    It's honestly almost too easy anymore for anyone at any level to grab an Arduino, RPi, some turn-key sensor solutions and with a handful of pre-written code off Github or a blog post, be excited about 'look what I did' while Johnny Hacker owns it and makes it a part of his Botnet network.

    Bring back the physical serial port to manage it all, man! Like "more cowbell", we need "more RS-232" ....totally kidding.

    1. Re:Ingenuity over Security == usually wins by Lumpy · · Score: 2

      IOT movement is based on the highly uneducated that think they are being clever. Then they hire guys that are just as uneducated as them to work on it. Because anyone with a clue will tell them, "Um, that is a bad idea" so they dont hire them.

      --
      Do not look at laser with remaining good eye.
    2. Re:Ingenuity over Security == usually wins by Sique · · Score: 2

      On the other hand: remote control of and communication between infrastructure items is nothing new. The VMEbus ANSI/IEEE 1014-1987 does the same, it just uses no 802.x link layer and no IP protocol.

      --
      .sig: Sique *sigh*
    3. Re:Ingenuity over Security == usually wins by Anonymous Coward · · Score: 0

      It certainly champions innovation, creativity and sense of coolness to your technical engineering feat,

      Please, link some example that supports this claim. Even just one. Everything of the IoT blather that I've encountered has been a variant of "something that works, but integrated with Twitter and no offline mode."

    4. Re:Ingenuity over Security == usually wins by Anonymous Coward · · Score: 2, Interesting

      People are confusing simple network access with ZOMG TEH INTERNET!. These 'insecure' devices are perfectly fine and dandy if your network design is correct. Tons of IP camera installs on their own little network with only a HTTP\RTSP proxy between them and the local intranet. So Internet VPN Intranet Proxy\DVR insecure cam net. Why would I give a crap about the default password on each local camera at that point?

      To use your RS232 example, imagine the FIELD DAY "hackers" these days would have with such an "insecure" technology without the proper context of where and how it should be used. Unencrypted, ASCII encoded, with no access-control protocol for critical systems?!?!?! THE SKY IS FALLING!

    5. Re:Ingenuity over Security == usually wins by BVis · · Score: 1

      Because anyone with a clue will want fair compensation so they dont hire them.

      FTFY. There's a difference between value and cost, and most of the time the only thing people think about is cost.

      --
      Never underestimate the power of stupid people in large groups.
    6. Re:Ingenuity over Security == usually wins by UnknowingFool · · Score: 1

      The whole IoT movement is ridiculously scary IMHO. It certainly champions innovation, creativity and sense of coolness to your technical engineering feat, but having new ideas, making cool devices you can interact with over a network/lan/internet unfortunately will always be the lower hanging fruit to becoming even an amateur fly-by-night web/os/network security expert, even with the gobs of free security tools out there to scan your device and mitigate the easiest of attack vectors.

      I would agree with you for most consumer applications like a IoT refrigerator. In the case of wind turbines, it is somewhat vital to be on a network.For example, controlling the turbines to change directions as wind conditions change. Some of them are located in remote areas and they do require maintenance. Signalling that maintenance may need to be performed via a network as opposed to a worker having to climb up each turbine periodically to figure out if there is something wrong.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    7. Re:Ingenuity over Security == usually wins by postbigbang · · Score: 1

      Like a zillion other hacks, the probability of an attack is perhaps low.

      The probability increases when you get a payload as a .jar or zip or whatever in an email that drops a json or REST sequence onto your network, taking down an industrial control set-- in this case instructions to do stupid stuff-- to gear you or your company owns.

      The important conclusion for this is that people are turning out super-crap code, and although various protections might help, most civilians don't know what those protections are. Hell, we can't even get people to use basic security on their WiFi APs.

      You therefore wonder-- Ingenuity? Not here.....

      There are a handful of coders represented here that need to be taken behind the woodshed or find new gigs on Thai fishing boats.

      --
      ---- Teach Peace. It's Cheaper Than War.
    8. Re: Ingenuity over Security == usually wins by Anonymous Coward · · Score: 0

      Think you meant UNhire them.

    9. Re: Ingenuity over Security == usually wins by Lumpy · · Score: 1

      you cant unhire them when you make sure you only hire people that blindly agree and follow to begin with.

      --
      Do not look at laser with remaining good eye.
    10. Re:Ingenuity over Security == usually wins by Darinbob · · Score: 1

      The problem is that there are really good reasons for IoT stuff, and yet all of the hype is over stuff that's utterly irrelevant. Consumer IoT is just stupid in my mind, and most of that stuff isn't really IoT if it's just a bluetooth connection to a phone but everyone wants to slap on that label. But IoT has been around a long time, for things like smart meters, traffic cameras, and so forth. Back in the 80s I had a job interview for devices that were meant to be put in the middle of nowhere that would transmit sensor readings up to satellites. The need is there, it just needs to get out of fantasy land and into reality.

    11. Re:Ingenuity over Security == usually wins by Darinbob · · Score: 1

      Yes, a lot of things just want to be able to report if they are malfunctioning or not. Once you do that though you end up with feature creep. Now they want to know turbine temperature every minute with less than a minute lag over a PLC link.

  4. Hard To Believe by JimSadler · · Score: 2

    Just how can such a thing as a massive, expensive, wind turbine have such a security flaw? Is it penny pinching or just sell it and get it out of here, mentality causing this type of mess?

    1. Re:Hard To Believe by Anonymous Coward · · Score: 0

      The same way voting machines and some ATMs did - utterly stupid fuckups due to taking shortcuts and not really caring about having a device fit for purpose.

    2. Re:Hard To Believe by Anonymous Coward · · Score: 0

      It is lack of expertise. Believe it or not, there is a lack of knowledgeable engineers out there in any given domain. I myself don't know enough about web scripting to understand the flaw here,a nd I have been developing for many years. But I don't do web development. This is the main problem with hopping around using and creating with new languages and scripting/web environments every few years: there isn't going to be enough time or people to learn it effectively. So some engineer just whips up something that works.

    3. Re:Hard To Believe by Anonymous Coward · · Score: 0

      People who design and build massive, expensive wind turbines don't also design and build remote administration software - they contract that out and get a state of the art implementation to bolt on. Unfortunately, the state of that particular art appears to be in the grips of severe, highly communicable brain damage.

    4. Re:Hard To Believe by bruce_the_loon · · Score: 1

      These are small turbines, 10kW for running your cabin or ranch, not the big boys you see strung out on mountains and oceans. They cost around $40k.

      Still unacceptable, but I suspect the monitoring controller was wanged on with a hammer using an off-shelf SoC controller and some Linux OS kit with a design wizard.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    5. Re:Hard To Believe by Anonymous Coward · · Score: 0

      These are actually mini turbines, nothing like the utility scale wind farm turbines you are probably thinking of. And the security flaw is used to "lower the efficiency" which means it can reduce the aggressiveness of the rotor pitch and cause it to turn slower in light wind. Not really drastic "pwnage", in a few weeks the updates will be deploying nationwide and the issue will be gone. But I suspect the "hey remember when they hacked all the windmills" meme will live on in the hearts of IoT doomsdayers for a long long time.

    6. Re:Hard To Believe by bill_mcgonigle · · Score: 1

      > Is it penny pinching or just sell it and get it out of here

      OR, not XOR, of course, so yes. Secure & fast is expensive. Secure and slow can be cheaper. Insecure and cheap tends to be fast.

      But the root cause is that the manufacturers have little downside to doing this. Each wronged individual has no financial incentive to seek restitution due to the legal fees involved, and class actions are a load of horseshit. Iceland used marketable torts for about four hundred years (the wronged gets a small payment from an aggregator that then sues collectively). Then they got a Church and a King and things went downhill from there.

      So, yeah, just rearchitect the legal system to get your IoT secure ... but misaligned incentives will never produce the desired outcomes.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:Hard To Believe by prunus.avium · · Score: 2

      Primarily it's the "I have a hammer. Every problem is a nail." syndrome. HTTP is being used for everything and HTTP is a really bad protocol.

      Okay, HTTP is a pretty good protocol for what it was designed: stateless, plain-text, request/reply with no authentication or encryption. It was designed to be open not locked down.

      The problem is we've been trying to find ways to lock down the protocol and use it in ways far beyond what it was meant for. SSL fixes the encryption problem but it can't fix inherent weaknesses in the protocol itself.

      Now, imagine you have a nifty new device that you decide needs to be on the Internet. What's the simplest way to go? Design a server program that uses the socket interface or just install a web server (Apache, nginx, ...)?

    8. Re:Hard To Believe by Anonymous Coward · · Score: 0

      Because people are terrified of shell access, using basic menus. It all has to be dumbed down with GUI after fucking GUI to today's techs. You can thank Microsoft and Apple for the retardation of engineers and the security woes plague the entire planet.

    9. Re:Hard To Believe by Anonymous Coward · · Score: 0

      Just how can such a thing as a massive, expensive, wind turbine have such a security flaw? Is it penny pinching or just sell it and get it out of here, mentality causing this type of mess?

      No, they just assume that it's going to be connected to a private management network, not just placed wide open and bare onto the internet. While yes, it would be nice to have such security flaws patched, in a properly designed network environment it's somewhat of a non-issue.

    10. Re:Hard To Believe by BVis · · Score: 1

      Believe it or not, there is a lack of knowledgeable engineers out there in any given domain that are willing to work for minimum wage.

      FTFY. There is no shortage of STEM workers, there is a shortage of STEM employers that are willing to pay market salaries. They'd rather go without an engineer than pay one enough to support themselves.

      --
      Never underestimate the power of stupid people in large groups.
    11. Re:Hard To Believe by Notorious+G · · Score: 1

      Having worked with a number of offshore software developers, I can say that penny pinching was the driver for flaws of this type. It's likely preventing "the simplest XSS attacks" was not explicitly named in the code specification along with a outline on how to accomplish it.

    12. Re:Hard To Believe by omnichad · · Score: 1

      Which TCP Protocol is the wrong network layer to point the finger at. Creating a socket interface is not inherently more secure and just adds labor hours to creating the UI. Badly formed authentication is one angle to attack with. The other is having the thing only remotely accessible when it joins itself to a VPN - which takes a lot of the security burden off yourself. Because there is no reason to have it open to the public Internet directly.

    13. Re:Hard To Believe by prunus.avium · · Score: 1

      The other is having the thing only remotely accessible when it joins itself to a VPN

      Sure. There are a number of ways to lock down the access before the HTTP traffic with firewalls or TLS and certificate validation. But the point of IoT is that users will have these things in their homes connected to their home internet connection. Joe User generally has no clue about setting up a firewall and I'm not sure he should be expected to.

      Your way puts an extra burden on Joe User. I want that extra burden placed on the IoT developers so Joe User can still have - as ESR put it - the luxury of ignorance.

    14. Re:Hard To Believe by omnichad · · Score: 1

      You have to set up your firewall to have an inbound HTTP port too. The dummy-proof way is to go the Nest route - which is a method I hate - and that's outbound connections only and everything is managed by a central server. It means your device is dead when/if the company goes under.

    15. Re:Hard To Believe by phantomfive · · Score: 1

      Security isn't prioritized. That's basically the reason.

      --
      "First they came for the slanderers and i said nothing."
  5. If your critical stuff is IOT.... by Lumpy · · Score: 2

    Then you are a complete idiot. Wind turbine, solar, etc DO NOT NEED any kind of IOT. let it spit out read only data to a public facing web server if you REALLY need to monitor your wind turbine while on vacation. and if you do, then you bought a really shitty turbine.

    Honestly all IOT designers and programmers need to be beaten with a sack of doorknobs until they stop being idiots or have some sense beaten into them. and if you hear any executive talk about IOT, instantly kick them in the groin as hard as you can.

    --
    Do not look at laser with remaining good eye.
    1. Re:If your critical stuff is IOT.... by Fire_Wraith · · Score: 3, Informative

      Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore. You know, places that it's not exactly easy to send a technician out to, in order to do things like change a setting. It's not just about monitoring "while on vacation" - there are often significant distances involved simply due to the sheer nature of these things.

      This isn't to say that stuff like remote access doesn't need to be looked at very very hard as to whether it's a valid use case, but you can't simply handwave away the real world factors that are contributing to that executive suggesting it's necessary. If he/she is your boss, you need to be able to state clearly what the concerns are, and figure out a way to present those security concerns as a counterweight - and be prepared that they may not outweigh the cost of physical only access. Hopefully, though, by raising security as a concern, you can at least get it taken into account so as not to be a completely soft target.

    2. Re:If your critical stuff is IOT.... by Lumpy · · Score: 3, Informative

      Here is some news for you.... Wind farms ARE NOT IOT and monitored from a iphone. They are on their own secured private network that uses secure VPN tunneling through the internet to data centers where the SCADA system controls and monitors them.

      Quite hilarious if you think that commercial and industrial uses IOT.

      --
      Do not look at laser with remaining good eye.
    3. Re:If your critical stuff is IOT.... by jeffmeden · · Score: 1

      Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore.

      These vulnerable turbines aren't even utility scale like you are picturing. These are backyard farm turbines and the like. Those turbines do use secure interfaces and protected networks. But hey lets shit on the IoT because one small time vendor screwed up.

    4. Re:If your critical stuff is IOT.... by thegarbz · · Score: 1

      Wind turbine, solar, etc DO NOT NEED any kind of IOT.

      What the hell is IoT? If you're talking about some kids toys with a funky web interface then yes you don't need that. If you're talking about remote network based control and data feedback then you've just mentioned the few things that most definitely do need that kind of functionality.

    5. Re:If your critical stuff is IOT.... by WillRobinson · · Score: 1

      Even with this security problems, in a "real" wind farm and not the item in this discussion (which is smaller intended for a home type) you would network all these together and have access only via vpn per farm area.

      Still does not excuse the problem of inadequate security, but direct access to internet from a large wind turbine would be a no-no for sure.

    6. Re:If your critical stuff is IOT.... by Fire_Wraith · · Score: 2

      No - they should be, but my experience tells me that "should be" isn't always the same as "actually are". Ideally people are following best security practices, but this is the real world, and there are often other factors in the equation that weaken that. If everything on the internet was as secure as marketing tells us it, and everyone followed best practices, IT security wouldn't be anywhere near as big of a problem as it is.

      I was also talking primarily about remote access, because your original post suggested that these systems need to be "read only". Whether or not you consider it to be IOT or ICS or whatever new buzzword comes into use for a computer hooked to a physical device is largely irrelevant here, because if you need to make a change on that wind turbine, you either need write access remotely, or you're going to have an engineer hopping in a truck or boat to head out to the physical turbine, and that's a problem.

    7. Re:If your critical stuff is IOT.... by Anonymous Coward · · Score: 0

      Which is great, except that wind farms tend to be in places like the middle of nowhere, Kansas, or a mile or so offshore. You know, places that it's not exactly easy to send a technician out to, in order to do things like change a setting. It's not just about monitoring "while on vacation" - there are often significant distances involved simply due to the sheer nature of these things

      There is a big difference between networking the management for a system, and exposing the management to the open Internet. There are a variety of ways to provide a way into the management network from the general internet, without directly exposing those systems TO the internet.
      The "internet of things" is a buzzword for "Fuck firewalls, VPN's, private networking, and all that noise, I'm just going to plug this shit directly into the internet!"

    8. Re:If your critical stuff is IOT.... by MightyYar · · Score: 1

      Isn't that a semantic difference? Sure, you'll throw a little embedded firewall in front - almost certainly with VPN. But it's not as if those little firewalls haven't had vulnerabilities, and the windmill itself is still a "thing" on the internet.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    9. Re:If your critical stuff is IOT.... by Anonymous Coward · · Score: 0

      Quite naive if you think that the guys in charge of the actual installs know anything about network security, or that the beancounters running the companies care about anything other than saving money.

      Sad really, for someone with a low ID.

    10. Re:If your critical stuff is IOT.... by Anonymous Coward · · Score: 0

      What the hell is IoT? If you're talking about remote network based control and data feedback then you've just mentioned the few things that most definitely do need that kind of functionality.

      IoT is the idea that you take something, and plug it directly into the internet. If the device is instead put onto a private network, and you use some sort of VPN, firewall, or other type of authentication/access system to allow access to/from the internet, then that's not "IoT".
      So while yes, remote access is often a needed function, it never needs to be part of the "IoT".

    11. Re:If your critical stuff is IOT.... by Anonymous Coward · · Score: 0

      http://www.securityweek.com/vulnerabilities-found-several-scada-products

    12. Re:If your critical stuff is IOT.... by thegarbz · · Score: 1

      Here is some news for you.... Wind farms ARE NOT IOT and monitored from a iphone.

      Oh boy are you going to be disappointed when you find out what SCADA companies are pushing right now.

    13. Re:If your critical stuff is IOT.... by omnichad · · Score: 1

      Wind farms ARE NOT IOT

      Buzzwords become meaningless. "The cloud" is just anything that's not on your LAN. It doesn't necessarily even mean virtualization technology is in use.

    14. Re:If your critical stuff is IOT.... by omnichad · · Score: 1

      That's just subjective feelings on what the name means. I would consider the Nest thermostat to be an IoT device, but it has no open ports to the Internet. It as an outbound HTTP connection to the manufacturer's servers. And yes, there are plenty of problems with that setup, including the possible future of an already purchased product just going dead one day due to no longer being supported.

      Cloud computing just means a server on the Internet - though plenty of people imbue it with all sorts of ideas about virtualization. None of that's required for something to be called "the cloud"

    15. Re:If your critical stuff is IOT.... by Darinbob · · Score: 1

      Because it is amazingly expensive to send a union technician on a 100 mile road to see if the turbine is still spinning or not. I work with smart meters, and electric utilities get really annoyed if they have to send a tech out to look at a meter that's only a couple miles away.

    16. Re:If your critical stuff is IOT.... by Darinbob · · Score: 1

      They call it IoT even if it's on a private network. It happens to use IPv4/IPV6 so it's "internet" as far as executives are concerned. Some part of the back haul link may be on the actual internet as well.

      The problem is that "IoT" is a poorly defined concept.

    17. Re:If your critical stuff is IOT.... by Darinbob · · Score: 1

      Addendum, in some places there is not good connectivity but there happens to be cellular data coverage so an expensive phone plan may be used to get data from a device to the back office. Of course there's security. But a lot of companies want to get rid of expensive leased telephone lines and choose something slightly less expensive.

    18. Re:If your critical stuff is IOT.... by Anonymous Coward · · Score: 0

      let it spit out read only data to a public facing web server if you REALLY need to monitor your wind turbine while on vacation. and if you do, then you bought a really shitty turbine.

      The turbine manufacturer could add some more intelligence like predictive fault management, automatic over speed shutdown and recovery and such to the system. Some vibration and acoustical sensors and taught neural net should suffice. This way the turbine itself would be a little IoT network. Oh, wait.. sorry.

  6. csrf not xss by Anonymous Coward · · Score: 1

    The bug report states it is a Cross-site request forgery vulnerability, not xss:

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0985

    1. Re:csrf not xss by Anonymous Coward · · Score: 0

      Thank you. I was perplexed by the same thing when I read the summary. Then I read the article and was still wondering wtf. Then I read the bulletin, and that made sense. I don't know when softpedia started becoming a source for news, but I'm sure there are a lot better sources to regurgitate.

  7. This isn't rocket science by Anonymous Coward · · Score: 0

    I can understand the need to remotely monitor this kind of equipment but for goodness sake WAN and critical hardware should be physically separated. Its not rocket science, simply send data to the IOT hardware through a one way (from critical systems to the WAN/IoT board) data connection. Even if the WAN hardware is hacked it can't physically do anything to the actual critical hardware, that is unless it can light itself on fire of course.

  8. Typo by Anonymous Coward · · Score: 0

    It's ICS-CERT, not ISC-CERT

  9. Already Fixed FFS! by Anonymous Coward · · Score: 0

    From the overview summary of the fucking article:

    XZERES has produced a patch to mitigate this vulnerability.

  10. More like Appernet of Apps! by Anonymous Coward · · Score: 0

    Modern app appers know that only apps can app apps, so IoT devices should be AoA devices and only run APPS instead of LUDDITE software!

    Apps!

  11. N00bs in meta level by Anonymous Coward · · Score: 0

    portal of these portals

    This is not a basic n00b level stuff, but for the more advanced level of n00bness which can also process the meta levels required to perform this hack.

  12. Good. by Anonymous Coward · · Score: 0

    Good. Hopefully this discourages people from buying in to the "renewable energy" boondoggle.
    #nuclearftw

  13. Some things should not be on the open Internet by davidwr · · Score: 1

    Insecure device directly accessible from the open Internet? BAD.
    If that device can be programmed to hurt or kill someone or take away a critical service, VERY BAD.

    Insecure device sitting comfortably behind a dedicated security device whose only job is to protect the one insecure device? POSSIBLY OKAY for an at-home-save-buying-electricity-from-the-evil-power-company wind turbine but probably insufficient for industrial equipment or for your home-nuclear-bunker wind turbine.

    Insecure device on a private network that sits behind a dedicated security device, where other machines on the network (such as PCs) may be vulnerable to attack due to a user visiting a random web site that happens to host a "0-day" vulnerability? NOT OKAY.

    Best solutions are (in order of security):
    * Stand-alone device, but frequently this is impractical.
    * Device on a dedicated network, but unless it's all on a single campus (home-wind-turbine) or you can lease truly-isolated fiber or copper from a telco or use an encrypted/authenticated/secure radio link, this may not be practical. Even then, you'll want to encrypt your copper or fiber traffic to prevent physical-access line-snooping/injection.
    * Device only accessible through a secure VPN or similar setup.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Are the links correct? by Anonymous Coward · · Score: 0

    Because I see no wind turbine. All I see is a reverse propeller with a generator attached to its axis. Not the smartest way to turn wind into electricity.